Archive for: March, 2012

Giving Away Your Passwords

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a little.

Unfortunately, the House voted down an amendment that would prevent employers from making this ludicrous request.  After reading the rebuttal, I’m hopeful that this legislation will make its way through in some form or another.

Thankfully, humans asking for your social media passwords during job interviews is a rare practice.

On the other hand, websites asking for your account passwords isn’t.  We call this the Password Anti-Pattern.   When a third-party website asks you to input your username and password to another service, like Facebook or Twitter, run for the hills!

Password Anti-Pattern

Notice how the site above is asking you directly for your Twitter password.  Bad!  What they should be doing is redirecting you to Twitter to authenticate in person, so to speak.  Like this:

OAuth (The Right Way)

Usually the intent of the website employing the Password Anti-Pattern is good – they’re not trying to be snoops (unless the site is actually an evil phishing site).   Rather, it’s likely they want to help you find your friends, import your photos, or in some way improve the experience of their application by connecting to others.

But despite the good intent, disastrous problems can arise.  Say you want to let App XYZ import your Gmail contacts.  The app asks you for your Gmail password and you happily hand it over.  Now you’re entrusting them to store that password securely, and the sad truth is, they’re probably not.

Now imagine you let 15 other apps do the same thing.  One of them is breached.  If you don’t change your Gmail password soon enough, they can lock you out.  What’s worse, most applications you use let you reset your password via email.  Thus we typically consider our email passwords keys to our castles.

Even if you do manage to change your Gmail password in time, now you have 14 apps that you have to update to reflect this change.  It’s a nightmare!

The good news is there’s a better way to grant one website safe, limited, and controlled access to another.  It’s called OAuth.  Think of it as a valet key.
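To make the valet-key idea concrete, here is an added example (not code from the original post, and not any particular provider's API) that models the redirect-based alternative as an OAuth 2.0-style authorization-code exchange, with an in-process stand-in for the provider so it runs offline. The URLs, client id, scope names and account are made up. The point it demonstrates: the third-party app never handles the password, the token it gets is limited to the scope the user approved, and the user can revoke that one app's access without touching the password the other 14 apps would otherwise share.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# All of these are made-up values for the illustration.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "app-xyz"
REDIRECT_URI = "https://app-xyz.example/callback"


class Provider:
    """Stand-in for the service that actually holds the user's password (the
    role Twitter or Gmail plays in the post). Runs in-process so this is offline."""

    def __init__(self):
        self._codes = {}    # one-time code -> (user, scopes, client_id, redirect_uri)
        self._tokens = {}   # access token -> (user, scopes)

    def authorize(self, user, client_id, scope, redirect_uri, state):
        # The user authenticates *here*, on the provider's own pages. The
        # third-party app only ever receives a short-lived, single-use code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, frozenset(scope.split()), client_id, redirect_uri)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange(self, code, client_id, redirect_uri):
        user, scopes, cid, uri = self._codes.pop(code)   # pop: a code is single-use
        if (cid, uri) != (client_id, redirect_uri):
            raise PermissionError("code was not issued to this client and redirect")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scopes)
        return token

    def api(self, token, needed_scope):
        if token not in self._tokens:
            raise PermissionError("token unknown or revoked")
        user, scopes = self._tokens[token]
        if needed_scope not in scopes:
            raise PermissionError(f"token lacks scope {needed_scope}")
        return {"user": user, "friends": ["carol", "dave"]}   # constructed response

    def revoke(self, token):
        # The valet key is handed back; the user's password never changed hands.
        self._tokens.pop(token, None)


class ThirdPartyApp:
    """The site that wants to import your friends. It never sees the password."""

    def __init__(self, provider):
        self.provider = provider
        self._pending_states = set()

    def begin(self):
        # A random state value ties the eventual callback to this browser session.
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "read:friends",
                  "redirect_uri": REDIRECT_URI, "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}", state

    def finish(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self._pending_states:
            raise PermissionError("unknown state: this callback was not started here")
        self._pending_states.discard(state)
        return self.provider.exchange(q["code"][0], CLIENT_ID, REDIRECT_URI)


def oauth_flow():
    """Run the full exchange and report what the app can and cannot do with its token."""
    provider = Provider()
    app = ThirdPartyApp(provider)
    _auth_url, state = app.begin()                  # browser is sent to the provider
    callback = provider.authorize("alice", CLIENT_ID, "read:friends", REDIRECT_URI, state)
    token = app.finish(callback)                    # browser comes back with code + state
    friends = provider.api(token, "read:friends")["friends"]
    try:
        provider.api(token, "write:posts")          # never granted: the key is limited
        can_post = True
    except PermissionError:
        can_post = False
    provider.revoke(token)                          # user pulls access from this one app
    try:
        provider.api(token, "read:friends")
        alive = True
    except PermissionError:
        alive = False
    return {"friends": friends, "can_post": can_post, "token_alive_after_revoke": alive}


def forged_callback_is_rejected():
    """A callback carrying a state the app never issued must not be honoured."""
    app = ThirdPartyApp(Provider())
    app.begin()
    try:
        app.finish(f"{REDIRECT_URI}?code=not-a-real-code&state=never-issued")
    except PermissionError:
        return True
    return False
```

The `state` check in `finish` is the part most often skipped in real implementations: without it, a callback URL someone else obtained could be fed to the app and bind a stranger's account to the victim's session.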

Stay tuned.  Next week we’ll talk more about OAuth – what it is, how it works, the pluses and the minuses.

Fixing the Open Shares Problem

I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone, Domain Users and Authenticated Users. After removing the everyone group from several folders, they began to receive help desk calls from people who had been actively accessing data through those global access groups prior to their removal, and were now unable to perform their daily activities because they had lost access. This went on for two weeks or so—each time someone called, they had to apologize for the disruption, and quickly add that user to a group on the folder’s ACL.

According to the administrator, the manual process took about 6 hours per folder. With the number of folders they had found, this would mean about 3 months of work for 4 people–quite a time-consuming effort. How were they going about fixing these manually? Here is a rough outline of the steps they used:

  1. Identify folders open to the global access groups, like everyone, authenticated users, domain users, and users
  2. Turn on object access success auditing for those folders and collect as much audit data as the server could stand
  3. Analyze the audit activity to try to create a list of users that access these folders
  4. Determine the users that have no way to access those folders other than the global access group you’re trying to remove
  5. Add users from step 4 to a group that’s on the folder’s ACL, or create a new group and add the users (assuming those users are supposed to have access)
  6. Remove the global access group
  7. Wait by the phone
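As an added example (not from the original post, and not the administrator's tooling), the analysis in steps 3 to 5 can be done offline once the audit data, folder ACLs and group memberships have been exported: for each folder open to a global access group, list the users who actually accessed it and have no other group on the ACL that would keep them in once the global group goes. The folder paths, groups, accounts and audit lines are all constructed.

```python
from collections import defaultdict

GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}

# Folder -> groups holding an allow ACE on it (constructed)
ACL = {
    r"\\fs01\finance\budgets": {"Everyone", "FIN-Analysts"},
    r"\\fs01\hr\reviews":      {"Authenticated Users", "HR-Staff"},
    r"\\fs01\it\scripts":      {"IT-Ops"},                 # already locked down
}

# Group -> members, as exported from Active Directory (constructed)
GROUP_MEMBERS = {
    "FIN-Analysts": {"alice", "bob"},
    "HR-Staff":     {"dana"},
    "IT-Ops":       {"erin"},
}

# Object Access success audit records: timestamp,user,path (constructed)
AUDIT_LOG = r"""
2012-03-05T09:12:01,alice,\\fs01\finance\budgets\q1.xlsx
2012-03-05T09:30:44,carol,\\fs01\finance\budgets\q1.xlsx
2012-03-06T14:02:10,carol,\\fs01\finance\budgets\forecast.docx
2012-03-06T15:11:59,dana,\\fs01\hr\reviews\2011\erin.docx
2012-03-07T08:45:03,erin,\\fs01\hr\reviews\2011\erin.docx
2012-03-07T10:00:00,erin,\\fs01\it\scripts\cleanup.ps1
"""


def parse_audit(text):
    """Yield (user, path) from the audit export, skipping blank lines."""
    for line in text.strip().splitlines():
        _ts, user, path = line.split(",", 2)
        yield user.strip(), path.strip()


def folder_for(path, acl):
    """Map an accessed file to the ACL'd folder that governs it (deepest match wins)."""
    matches = [f for f in acl if path.lower().startswith(f.lower() + "\\")]
    return max(matches, key=len) if matches else None


def has_named_access(user, folder, acl, members):
    """True if the user reaches the folder through some group other than a global one."""
    return any(user in members.get(g, set()) for g in acl[folder] - GLOBAL_GROUPS)


def remediation_plan(acl, members, audit_text):
    """Per open folder: the global groups to remove, and the users seen accessing it
    who would lose access the moment that happens (step 4), so they can be added to
    a named group first (step 5)."""
    accessed = defaultdict(set)
    for user, path in parse_audit(audit_text):
        folder = folder_for(path, acl)
        if folder is not None:
            accessed[folder].add(user)

    plan = {}
    for folder, groups in acl.items():
        open_groups = groups & GLOBAL_GROUPS
        if not open_groups:
            continue                                   # nothing to fix on this folder
        at_risk = {u for u in accessed[folder]
                   if not has_named_access(u, folder, acl, members)}
        plan[folder] = {"remove": open_groups, "grant_first": at_risk}
    return plan
```

The obvious caveat is the one the post's step 7 alludes to: the plan only knows about users who showed up during the audit window. Someone who opens the folder once a quarter is invisible here and will still call the help desk, which is why the collection period has to be long enough for the data's real access cycle.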

Despite their painstaking process, the voluminous audit logs and the complexity of their permissions made it impossible to remove global access groups without disrupting their users’ workflow. That’s a lot of effort to go through to end up with unhappy users. This is one example, but IT often finds itself in this dilemma when trying to fix open shares: leave the data exposed and run the risk of data theft, loss, or misuse, or lock the folders down and risk productivity should a user or users be cut off from data they need.

In a future post we’ll talk about how to clean up open shares using the simulation capabilities available with a metadata framework.

10 Things IT Should Be Doing (But Isn’t): Free On-Demand Webinar

On our last webinar: 10 Things IT Should Be Doing (But Isn’t), we reviewed some of the challenges associated with unstructured data management and protection. IT requires the ability to answer critical questions about data in order to efficiently and effectively protect it. Some of these questions are:

  • Who has access to data?
  • Who has been accessing data?
  • Where is my sensitive data over exposed?
  • How do I fix exposures?

During the webinar we gave an overview of 10 things IT should be doing to answer these and other fundamental questions, and put the answers to productive use. Maintaining a complete audit trail of access activity, an accurate map of permissions, and identifying data owners are a few of the things IT should be doing. We reviewed why each one of the 10 things is important and what to look for in an automated solution.

If you missed our webinar, click here to play the recording.

How to Accelerate Your Upgrade From Office 2003 with Office Migration Plann...

Yesterday I was speaking with an attendee at Data Connectors Boston who is involved in a project to upgrade his company’s workstations to Office 2010 from Office 2003. There are a few compatibility issues to be aware of when upgrading from one version to another—a big one is that some document macros will need to be updated in order to work with the new version.

Thankfully, Microsoft has provided Office Migration Planning Manager, or OMPM, to identify potential issues before upgrading. However, in a large environment there can be a lot of these files, and for some organizations (like this one), it wasn’t as simple as just hitting the “fix” button. Owners for these files need to be found, decisions need to be made, and updated macros need to be tested.

This is almost identical to the issues that organizations have when they’re first scanning their files for credit card numbers or other regulated content: once they’re found, the next steps are to find the owners of the folders and sites that contain these files and make decisions about how the data should be protected. A lot of context is required to accomplish these steps, including a map of permissions and a searchable audit history—this is the kind of context awareness that a metadata framework provides.

A similar approach can be used for the files that OMPM finds: find the owners of the folders that contain them based on usage and other Active Directory metadata, determine who (if anyone) uses them, then update and test the files that need updating. Count this among the many data management tasks that benefit from better usage and accessibility context.

Forensic Investigation of Data Theft (Part 3)

In my last post, we determined that someone added a fictitious user account, “Allen Carey,” to Active Directory and this account was used to steal trade secrets from “Alpha Chemicals.” Fortunately, you had the foresight to install the DatAdvantage suite of products which will help recreate the activities performed by “Allen Carey” but more importantly, will help you ensure that your trade secrets are properly protected and monitored.

As you know, DatAdvantage provides a full audit trail, tracking both event activity and permission changes in a single interface. As a result, complex activities–such as correlating the activities performed by any user account across multiple platforms–are simple tasks. In our hypothetical situation, the activities performed by “Allen Carey” were performed within Active Directory, within Windows Servers, within SharePoint and within Exchange. The “Allen Carey” account made permission changes and was used to obtain sensitive information–information that could devastate the financial future of our hypothetical company, “Alpha Chemicals.”

By using DatAdvantage you’ve determined the following:

  1. On November 18th at 6am (during the company’s change management window), Carol Edwards’ domain admin account was used to create a new user, “Allen Carey”
    1. Carol Edwards then added “Allen Carey” to the domain admins group
    2. Carol added “Allen Carey” to the R&D group within Active Directory
    3. Carol added “Allen Carey” as a delegate to Bob Darwin’s Exchange Mailbox
    4. Carol then added send-as permissions to “Allen Carey’s” email account as well as a number of others
  2. On November 18th at 6:30am Carol Edwards subsequently removed “Allen Carey’s” account from the domain admins group
  3. All of the above changes were made from the IP address

DatAdvantage also revealed that:

  1. Between November 18th and December 1st, “Allen Carey” performed a number of underhanded activities including:
    1. Opening documents which contained the words “Transparent Aluminum” within the R&D SharePoint Site
    2. Opening documents which contained the words “Transparent Aluminum” within the R&D File Server and reading each of the relevant files
    3. Opening documents which contained the words “Transparent Aluminum” within the R&D public folders and reading each of the relevant files, also from the IP address
    4. Reading email sent to Bob Darwin, who worked in R&D and specifically within the “TP” Group
    5. Marking all of the Email messages that he viewed as “unread”
    6. Using the SharePoint site to learn about collaborative activities within the R&D department
    7. Reviewing financial analysis documents sent by Bob Darwin to the finance department
    8. Using his Exchange “send-as” permissions to email documents to Bob Darwin’s new public email account (that “Allen Carey” created)
  2. After a very brief investigation, you found that Michael Allen, a temporary employee, was using a workstation with the IP address, the same workstation used by “Allen Carey”

Mystery Solved

The above information was used to determine exactly what happened: On November 1st, Michael Allen began work as a contract employee performing basic network administration for “Alpha Chemicals.” Michael was the type of person you’d like your daughter to date–nice, charming and intelligent. He was a quick study, sociable, and quickly made friends with many people in R&D, application development, infrastructure engineering and operations. On November 2nd, while troubleshooting a network problem using a packet sniffer, Michael encountered a number of packets which contained the words “Transparent Aluminum” and “Confidential.” Michael proceeded to approach a man by the name of Bob Darwin who worked in the R&D department and asked him what he knew about the compound, “Transparent Aluminum.” Bob revealed no information other than stating that it was the company’s next blockbuster product. In mid-November Michael started dating a girl by the name of Carol Edwards. Carol had been with Alpha Chemicals for 20 years and enjoyed Michael’s company. Carol was a Domain Administrator within the IT Department with responsibility for all of the R&D servers, meaning Windows 2003 and 2008 File Servers, Solaris Servers, SharePoint R&D Sites and both EMC and NetApp NAS storage. Dawn Franklin was a close friend of Carol’s. Dawn was the Exchange administrator and had Exchange Admin privileges within the entire Exchange environment. Michael, Carol and Dawn frequently ate lunch together and were also frequent visitors to the local pub, Scruffy’s. Apparently on November 17th, after a drink-fest at Scruffy’s, Michael obtained Carol’s domain admin password…and “Allen Carey” was conceived.

Intelligent Forensics

Companies require the ability to correlate malicious activities performed on disparate platforms with context about the sensitivity of company data, and authorization/permission changes. For example, in the above scenario, a company would require the ability to:

  • Monitor Active Directory user and group permission changes
  • Monitor access activity by domain administrators and local administrators
  • Monitor access activity within SharePoint Servers
  • Monitor access activity within Windows 2003 and Windows 2008 File Servers
  • Monitor permission changes within Exchange
  • Monitor access activity within Exchange mailboxes
  • Monitor access activity within Exchange Public Folders
  • Determine where their sensitive information is located
  • Monitor email opened by people other than the owner of the mailbox
  • Monitor email transmitted outside the company
  • Monitor email sent by people other than the owner of a mailbox
  • Monitor the people who are marking email as “unread”

DatAdvantage provides these capabilities. Want to see for yourself? Sign up for a free 30-day evaluation of the entire Varonis Data Governance Suite today.

7 Recommendations for Data Protection by Forrester’s Andras Cser

Last week Varonis hosted a webinar on using strong identity context to help protect data, where I was joined by Andras Cser of Forrester. Andras shared really interesting insights on the impact of data breaches, what got stolen, how they happened, and what you can do to better protect yourself.

On topic of entitlement reviews, Andras shared, “You have to get into a fairly rigid and rigorous structure of attestations, and basically that means you would want to have a campaign that runs every quarter, clearly understand the mappings between people, groups and resources that they’re accessing, and have managers look at their employees’ access rights, data elements, data access, and also application users should be granted some way of overseeing who has access to the data their application actually generates.”

Andras also shared illuminating key case studies from organizations that are protecting hundreds of terabytes to petabytes of data that are growing at 1-2.5% per week. It was fun for me to hear a fresh perspective on what works and what doesn’t when you’re trying to manage and protect data at scale.

Some of Andras’ recommendations were:

To see all seven of Andras’ recommendations, register to download and watch the full data protection webinar here.

Improve Data Protection, Win $500 Gift Card

Regulation in IT is nothing new, especially for those of us who’ve ever worked in the financial, government or health care sectors. What’s changing is the breadth of regulations–how much we actually need to do–and the types of information and systems these regulations apply to. No longer is it just the mainframes and other transactional systems, for instance. People now have to ask themselves “How safe is our unstructured data?” and  “Are we in compliance with new regulations?” One comment I heard recently was along the lines of, “The terrifying thing is that we have no idea whether anything on the NAS is subject to regulation because we’ve never done anything to audit it.” Of course, data security has always been a concern but with the growing threat from internal and external breaches, and a new major Wikileaks story in the news seemingly every month, companies are up against a wall and need some help to analyze the scope of the problem and figure out solutions. I think many of us would just like some help knowing where to begin.

At Varonis we have a lot of experience helping our customers with these problems, and we want to help you see where you stack up compared to other organizations. Take our free 2 minute assessment on your data protection preparedness and we’ll enter you to win a $500 gift card! Click here to access the assessment or copy the following link into your browser:

Everyone who fills out the survey will get our comprehensive report on the state of data protection preparedness once the results have been analyzed.

Using Varonis: The Path Beyond Data Classification

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

Data Classification is important because it helps us figure out where the most important data sits, but it shouldn’t be a goal on its own. Just understanding what data is sensitive isn’t enough to protect it. You need to understand how it’s being used, including who has access, who’s using it, and who it belongs to. You need context around the data in order to really begin to protect it. Rob Sobers put together a recent white paper on the importance of enterprise context awareness, which is worth a read and offers some great background on this topic.

Step 2: Identify Data That’s Most at Risk

The first step in our plan was to figure out what’s the most valuable by defining criteria that describe likely valuable data (e.g. content, access activity, accessibility) and then using automation to identify where the data that matches those criteria exists in the environment. This is basically what we’re doing with DLP data at rest, if you recall. But just scanning for sensitive data isn’t enough to fix any problems, a point I’d like to illustrate by relaying a conversation I had with a customer last year. They were a mid-size educational institution of about 15,000 users and had just implemented data classification through a DLP tool. The scan took a fair amount of time, and at the end they’d identified 193,000 some-odd violations, or instances of a file containing possibly sensitive information. What the CISO told me was, “Yesterday I had one problem: where’s the sensitive data. Today I have 193,000 problems.”

It was a really concise way to summarize the problem: just finding data doesn’t really get you much. You already knew there was a lot of it out there, but knowing where it is doesn’t actually fix the problem. The goal is to restrict access to just those who need it and then monitor access so none of it is lost. To do that, you need context, and that means learning more about the data.

Since Varonis can synthesize multiple types of metadata, the next step in our methodology is to identify exactly what data is most at-risk. Which of the folders that contain those 193,000 files need to be fixed immediately?

To answer that question, Varonis combines data classification–either from our own scanning engine or from a DLP or another classification product–along with the other metadata we have available: permissions, access activity, and the user and group information from directory services. Which should be higher on your triage list for access control cleanup, a folder that contains 40 credit card numbers open to 20 people that nobody ever touches, or a folder open to the Everyone group with 300 credit card numbers that’s being constantly accessed? The latter represents a much greater risk to the organization, since looser permissions and a higher level of activity mean that data is far more likely to be deleted, stolen or misused in some way. By the way, Varonis has a built-in report for this, and it’s usually one of the first reports our customers review when they evaluate the product.

It’s not always just about sensitive data, either. Many of our customers simply want to clean up permissions, whether sensitive or not. We’ve been hearing a lot about “open share” projects and the like lately, and it’s basically the same thing: find shared data that’s at-risk and then remediate that. DatAdvantage also has reports that help you identify where folders are open to global access groups like Everyone, Domain Users and Authenticated Users as well as who is accessing data via these groups. It’s a similar example to the one above: which is more important? Data open to Everyone that nobody uses or data open to Everyone that lots of people are using (and who wouldn’t have access otherwise)? Varonis can point all that out with built-in reports.

Next, we’ll look at how to go about fixing these problems.

Image credit: jurvetson

Case Study: Matanuska Telephone Association

Matanuska Telephone Association (MTA) is a co-operative telecommunications service provider that offers its members local telephone services, high-speed Internet access, wireless phone service, digital television and managed business services.

Like those at many organizations, MTA’s employees would occasionally move, rename, or delete files by accident. Finn Rye, MTA’s Information Security Officer, and his team would then try to locate or recover the information. The hours spent manually tracking down data were significant, which meant that Rye’s team was often unable to attend to other, more pressing matters.

Further, for internal compliance requirements, MTA’s Performance Integrity office mandates that Rye’s team be able to verify who has access to which data and what files those individuals actually access.

MTA recently deployed Varonis® DatAdvantage® for Windows. DatAdvantage provides a searchable and sortable complete audit trail, which includes “delete” events in files and folders. The Audit Trail provided Rye’s team the ability to find deleted or moved files and to determine how it happened.

“Without DatAdvantage®, we simply weren’t able to do the investigation or incident responses we can now,” Rye said.

Rye’s team has configured automatic alerts and reports to obtain the visibility and control they needed, fulfilling their compliance requirements. Now they can identify sensitive files and folders, and determine who should and should not have access to them.

“It was virtually impossible before Varonis®,” he said. “We just didn’t have the logging capacity or a way to search in an efficient manner.”

Varonis® DatAdvantage® for Windows provided MTA the ability to analyze and audit access, visibility into their permissions structure and actionable intelligence on how to remediate excessive permissions; this is why MTA chose Varonis. To read the complete case study, click here.

Finn Rye is MTA’s information security officer – his department oversees the company’s information security initiatives for MTA’s 400+ full-time employees.

In Data Security, You’re Only As Strong As Your Weakest Link

Reporter: “Why do you rob banks?”

Willie Sutton (bank robber): “Because that’s where the money is.”

That’s Sutton’s law. It seems obvious, but it’s so very true. The law also holds true for hackers–they will attack systems that store valuable data.

So where might that be?  My first guess would be the iron-clad data centers of the world’s largest banks, pharmaceutical companies, defense contractors, governments, and Fortune 500 corporations.  They are the big juicy targets, right?  But attractive targets aren’t necessarily easy targets.

Today, banks and other high profile institutions have state-of-the-art data protection in the form of firewalls, two-factor authentication, sophisticated encryption, and Varonis.  Hence the term “bank-level security.”  As a result, hackers have to weigh the value of a successful attack against the difficulty of breaching the target.

What if there were a way to seize a corporation’s digital secrets without having to penetrate their heavily fortified walls?  A group of Chinese hackers figured out a rather cunning way to do it – infiltrate the company’s much more vulnerable law firm instead!

According to Mandiant, a Virginia-based security firm, 80 major US law firms were hacked last year.  Clearly, law firms are becoming a primary back door that hackers are using to gain access to valuable corporate data.  But it’s not just law firms we have to worry about, unfortunately.

Any time you send an email to another party—e.g., law firms, accountants, consultants—or transfer confidential documents to DropBox or Google Docs, you’re implicitly trusting that they take security as seriously as your own security admins do, and that they can determine, at all times, who can access your data and who is accessing your data.

The fact is that many organizations, including the growing number of cloud service vendors, haven’t even scratched the surface when it comes to serious data protection and security.  The message is clear: start now.  Your customers will demand it.

Who Is TRYING To Access Your Data?

In our previous post we discussed how over 80% of data breaches are considered “opportunistic.” The majority of them are carried out by regular employees with excess permissions who abuse their access to obtain sensitive information. When we take these two things into account, we can confidently say that a primary area of risk is where regular employees have excess permissions and access to valuable information.

Organizations often have difficulty answering a critical question in order to effectively protect their data: Who or what might be TRYING to determine if they have access to data that they shouldn’t?

Varonis DatAdvantage Access Denied Events

Varonis DatAdvantage can show exactly who's trying to access data

In addition to its already powerful and complete audit trail of successful activities, Varonis DatAdvantage version 5.7 now leverages its Metadata Framework to collect, process, and report on “access denied” events on Windows servers. These events occur when people try to access a folder or file and the ACL does not permit them. If we see a lot of access denied events, this may indicate that the computer is infected with a worm, or the user is poking around looking for valuable data or trying to search/index a large amount of information that they don’t have access to.

DatAdvantage also provides the functionality to alert when it detects statistically significant spikes in activity; these alerts now include access denied activity. Organizations can use this information as a trigger for further investigation to determine why a user may be trying to access data that he doesn’t have permissions to access.
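One simple way to put the “statistically significant spike” idea into code, as an added example that is not the product's own algorithm: compare each user's access-denied count for the day against the mean and standard deviation of that user's own recent history, with a floor on the standard deviation so a flat history (a service account that never fails) does not turn a single event into an alert, and an absolute minimum so tiny counts are ignored. The record layout, thresholds and sample data are constructed.

```python
from collections import Counter
from statistics import mean, stdev

# Per-user daily access-denied counts for the preceding 14 days (constructed).
HISTORY = {
    "jdoe":       [2, 1, 3, 2, 0, 1, 2, 3, 1, 2, 2, 1, 0, 2],
    "msmith":     [5, 6, 4, 5, 7, 5, 6, 4, 5, 6, 5, 4, 6, 5],
    "svc-backup": [0] * 14,
}

# Today's raw records: timestamp,user,result,path (constructed). jdoe suddenly fails
# against dozens of folders she has never touched; msmith looks like his usual self;
# the backup account trips once.
TODAY_LOG = "\n".join(
    [f"2012-03-19T08:{i:02d}:11,jdoe,ACCESS_DENIED,\\\\fs01\\finance\\dir{i}" for i in range(47)]
    + [f"2012-03-19T09:{i:02d}:00,msmith,ACCESS_DENIED,\\\\fs01\\eng\\build" for i in range(7)]
    + ["2012-03-19T10:00:00,svc-backup,ACCESS_DENIED,\\\\fs01\\hr\\payroll",
       "2012-03-19T10:01:00,jdoe,READ,\\\\fs01\\finance\\budget.xlsx"]
)


def count_denied(log_text):
    """Count ACCESS_DENIED records per user in one day's worth of events."""
    counts = Counter()
    for line in log_text.splitlines():
        _ts, user, result, _path = line.split(",", 3)
        if result == "ACCESS_DENIED":
            counts[user] += 1
    return counts


def spike_score(baseline, today, floor=1.0):
    """Z-like score of today's count against the user's own history. The floor keeps
    an all-zero or near-constant history from producing a huge score on one event."""
    mu = mean(baseline)
    sigma = stdev(baseline) if len(baseline) > 1 else 0.0
    return (today - mu) / max(sigma, floor)


def find_spikes(history, log_text, z_threshold=3.0, min_events=10):
    """Return {user: (today_count, score)} for users whose denied-count today is both
    far above their own baseline and large enough in absolute terms to be worth a look.
    Users with no history are scored against a baseline of zero, so a brand-new account
    racking up `min_events` denials is flagged too."""
    today = count_denied(log_text)
    flagged = {}
    for user, n in today.items():
        score = spike_score(history.get(user, [0]), n)
        if n >= min_events and score >= z_threshold:
            flagged[user] = (n, round(score, 1))
    return flagged
```

A per-user baseline matters more than a global one here: seven denials a day is normal for msmith and would be a clear outlier for jdoe, and a single global threshold would get one of those two wrong.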

By adding “access denied” events, Varonis has enhanced its audit trail, providing our customers with an efficient and effective way to know who is accessing their data, what they are doing with it, where sensitive data is overexposed, how to fix it, and now who is trying to access data they don’t have access to.

Organizations will be able to implement preventive controls and detect a possible threat at a much earlier stage, before a potential data breach takes place. They’ll have more detailed visibility and control over the primary area of risk: regular employees with excessive permissions.

To request a demo of Varonis DatAdvantage 5.7, click here.